Cybercrime investigation and the protection of personal data and privacy
Rob van den Hoven van Genderen, Vrije Universiteit law faculty, r.vandenhovenvangenderen@rechten.vu.nl
2008

Key questions
How can the tension between privacy protection and criminal investigation be regulated at acceptable levels?
How secure are the guarantees and safeguards of Article 15 CoC in this respect, concerning the special competences of investigative authorities in cybercrime?

Article 8 ECHR
1. Everyone has the right to respect for his private and family life, his home and correspondence.
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

Concept of privacy
The right of the individual to be protected against intrusion into his personal life or affairs, or those of his family, by direct physical means or by publication of information (David Calcutt, UK priv. cty)
Inviolability of the individual, the individual's independence, dignity and integrity (Edward Bloustein)
Three elements in privacy: secrecy, anonymity and solitude (Ruth Gavison)

Personal data
Personal data is any information concerning identified or identifiable natural persons.
This covers any data that yields information about a natural person's behavior, ideas and way of living.
Even if the name of the person is not mentioned, the data can be defined as personal data if the identity of the person can be determined without too much extra effort.

Personal data
Data (or information) that relate to, and allow identification of, individual physical/natural persons (and sometimes groups or organisations)
Personal data means any information relating to an identified or identifiable individual (identifiable)
Personal data (and its protection) is defined as far as it can practically be derived from any source, and is considered to be extending at a continuous pace

Processing of personal data
Collection, registration, storage, use and/or dissemination of personal data
Any data: images, texts, sounds, physical data
Police data: any data concerning an identified or identifiable natural person that is being processed in the exercise of the police task
Article 18/19 CoC: production order/seizure

Changing value?
In the equilibrium between security and privacy, the weight seems to be shifting towards security protection by giving up on human rights, including the protection of privacy.

Council of Europe Convention for the protection of individuals with regard to automatic processing of personal data (ETS 108)
Article 6: Special categories of data
Personal data revealing racial origin, political opinions or religious or other beliefs, as well as personal data concerning health or sexual life, may not be processed automatically unless domestic law provides appropriate safeguards. The same shall apply to personal data relating to criminal convictions.
But, except for Article 9(a): protecting State security, public safety, the monetary interests of the State or the suppression of criminal offences

How important?
Two thirds of the Dutch population agree with giving up on privacy if this increases security, in relation to the war on terrorism. (IKON TV, 2004)

General principle
State clearly the principles that apply to the processing of personal data as described in, inter alia, the Cybercrime Convention and national law, in more specific ways than a general reference to international human rights conventions; these principles should then oblige the investigative authorities to act accordingly.

Minimal applicable principles
Fair collection principle: personal data should be gathered by fair and lawful means.
Proportionality (minimalist) principle
Clear description principle: the criminal behaviour or act, or the connection of the concerned subject, has to be clearly described in the Code of criminal law.
Purpose specification: personal data should be gathered for specified and lawful purposes.
Information of the data subject: information of the data subject shall provide for complete provisions, including the identity of the data controller, the possible recipients and the legal basis for processing. Any restrictions shall be precise and limited and based on law.
(Sensitive) data categories: the processing of special categories of data is prohibited unless specific conditions are met and specific guarantees are foreseen in the national legislation (conforms to Article 8 EU Directive, Article 6 Convention 108).
Categories of data subject: it is a requirement of the principle of proportionality to reintroduce distinctions between the different categories of data subject concerned by the processing for police and law enforcement purposes.
Accountability principle: authorities responsible for processing personal data should be accountable for complying with the above principles.

How to deal with privacy in investigations
More crystallised application of Article 15 Cybercrime Convention
Defining personal data in the Cybercrime Convention and related national laws
Specification of criminal intelligence and supportive actions in investigations
Separation between general collection of personal data and obvious criminal procedure with a clear suspect
Clear specification of use of instruments and procedures for investigation
Exceptions must be clearly specified by law
Applicable data protection principles should be integrated in the Cybercrime Convention